Privacy policy
Information on the processing of your personal data pursuant to Articles 13 and 14 GDPR and § 25 TDDDG (German Telecommunications and Digital Services Data Protection Act).
1. Privacy at a glance
General information
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. Detailed information on the subject of data protection can be found in our privacy policy below this text.
Data collection on this website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the operator's contact details in the section "Information about the controller" of this privacy policy.
How do we collect your data?
On the one hand, your data is collected by you providing it to us. This could, for example, be data you enter into a contact, appointment, application or course-registration form. Other data is collected automatically or with your consent by our IT systems when you visit the website (technical server logs, web analytics).
What do we use your data for?
Part of the data is collected to ensure the website is provided without error. Other data may be used to carry out treatment or application procedures, or for the statistical analysis of user behaviour (where you have consented).
What rights do you have regarding your data?
You have the right at any time to receive information free of charge about the origin, recipients and purpose of your stored personal data. You also have the right to request the correction, deletion or restriction of this data. Consent you have given can be withdrawn at any time for the future. You are also entitled to lodge a complaint with the competent supervisory authority.
2. Hosting
External hosting (Cloudflare Workers + R2)
This website is operated as an edge application by Cloudflare Inc., 101 Townsend Street, San Francisco, CA 94107, USA ("Cloudflare"). Cloudflare provides the global content delivery network as well as the execution of "Workers" (serverless functions). Media content (images, PDF flyers) is stored in Cloudflare R2's EU cluster in the Netherlands. When the website is accessed, the following data in particular is processed on Cloudflare's servers: IP address, date and time of access, pages visited, transferred data volume, browser and operating-system information, referrer URL.
We have concluded a data-processing agreement with Cloudflare pursuant to Art. 28 GDPR. The transfer of data to Cloudflare servers in the USA is additionally based on the European Commission's Standard Contractual Clauses. Cloudflare is also certified under the EU-US Data Privacy Framework (DPF).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing our online services securely, quickly and efficiently).
Further information: cloudflare.com/privacypolicy.
CMS hosting (Hetzner via Dokploy)
The content management system used to maintain the contents of this website is operated on a server of Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. The CMS is only accessible to authorised editors; maintenance is carried out encrypted over HTTPS. We have concluded a data- processing agreement with Hetzner.
Legal basis: Art. 6(1)(f) GDPR. Further information: hetzner.com/legal/privacy-policy.
3. General notes and mandatory information
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data-protection regulations and this privacy policy. We point out that data transmission over the internet (for example when communicating by email) can have security gaps. A complete protection of data against access by third parties is not possible.
Information about the controller
The controller responsible for data processing on this website is:
Therapiezentrum Maliqi · Inh. Qendrim MaliqiYorckstraße 56
04159 Leipzig
Represented by: Qendrim Maliqi
Phone: 0341 9022766
Email: kontakt@therapie-maliqi.de
The controller is the natural or legal person who, alone or jointly with others, decides on the purposes and means of the processing of personal data.
Professional secrecy in the healing professions
As members of a healing profession, we are subject to the professional secrecy sanctioned under criminal law (§ 203 of the German Criminal Code, StGB) and to professional duties of confidentiality. Your treatment data and all information entrusted to us as part of a treatment relationship are processed only within the narrowest necessary circle and only for the purposes permitted by law in each case. Disclosure to third parties takes place only with your express consent or where required by law.
Storage period
Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for processing it ceases to apply. If you assert a legitimate request for deletion or revoke a consent to data processing, your data will be deleted unless we have other legally permissible reasons for retaining your personal data (e.g. retention periods under tax or commercial law, patient records under § 630f of the German Civil Code, BGB, and professional codes). In the latter case, deletion takes place once those reasons cease to apply.
General information on the legal bases for data processing
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR. In the case of express consent to the transfer of personal data to third countries, processing additionally takes place on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your end device, processing additionally takes place on the basis of § 25(1) TDDDG. Consent can be withdrawn at any time.
Where your data is required for the performance of a contract or for the carrying out of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. We also process your data where it is required to comply with a legal obligation, on the basis of Art. 6(1)(c) GDPR. Processing may also be based on our legitimate interest under Art. 6(1)(f) GDPR. Where special categories of personal data within the meaning of Art. 9(1) GDPR (health data) are processed, this takes place on the basis of Art. 9(2)(h) GDPR in conjunction with § 22(1) No. 1 lit. b BDSG for the purposes of preventive healthcare or treatment in the healthcare sector.
Recipients of personal data
In the course of our business activities we work with various external bodies. In some cases this also requires the transfer of personal data to those external bodies. We only pass personal data on to external bodies where this is required for the performance of a contract, where we are legally obliged to do so (e.g. transfer of data to tax authorities or statutory health insurers), where we have a legitimate interest under Art. 6(1)(f) GDPR in the transfer, or where another legal basis permits the data transfer. When using processors, we only pass on personal data of our patients and website visitors on the basis of a valid data-processing agreement.
Withdrawal of your consent to data processing
Many data processing operations are only possible with your express consent. You can withdraw a consent you have already given at any time. The legality of any data processing carried out up to the point of withdrawal remains unaffected by the withdrawal.
Right to object to data collection in particular cases and to direct marketing (Art. 21 GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT, AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RELEVANT LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION UNDER ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSES OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING (OBJECTION UNDER ART. 21(2) GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority. The competent authority is in particular:
Saxon Data Protection Commissioner (Sächsische:r Datenschutzbeauftragte:r)Devrientstraße 5
01067 Dresden, Germany
Phone: +49 351 49350
Email: saechsdsb@slt.sachsen.de
The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.
Right to data portability
You have the right to have data which we process automatically on the basis of your consent or in performance of a contract handed over to yourself or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place insofar as it is technically feasible.
Information, correction and deletion
Within the framework of the applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, where appropriate, a right to correction or deletion of this data. You can contact us at any time regarding this and further questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time to do this. The right to restriction of processing exists in the cases listed in Art. 18 GDPR.
SSL / TLS encryption
For security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
4. Data collection on this website
Cookies and comparable recognition technologies
Our websites use what are known as "cookies". Cookies are small text files which do no damage to your end device. They are stored on your end device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Permanent cookies remain on your end device until you delete them yourself or until your web browser deletes them automatically.
We store technically necessary cookies (e.g. for storing the language setting or for session management) on the basis of Art. 6(1)(f) GDPR in conjunction with § 25(2) No. 2 TDDDG. Where consent for the storage of cookies and comparable recognition technologies has been requested, processing takes place exclusively on the basis of that consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); consent can be withdrawn at any time via the cookie banner.
Server log files
The provider of the pages (Cloudflare, see section 2) automatically collects and stores information in so-called server log files that your browser transmits automatically. These are:
- browser type and browser version
- operating system used
- referrer URL
- hostname of the accessing computer
- time of the server request
- IP address (truncated by Cloudflare)
This data is not combined with other data sources. Collection of this data takes place on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in a technically error-free presentation and optimisation of its website.
Contact form
If you send us enquiries via the contact form, the details you provide on the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing your enquiry and in case of follow-up questions. We do not pass on this data without your consent. Fields processed: name, email address, optionally telephone number, preferred location, free-text message.
Processing of this data takes place on the basis of Art. 6(1)(b) GDPR insofar as your enquiry is connected with the performance of a contract or is required for the carrying out of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of enquiries directed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR).
Storage period: the data will remain with us until you ask us to delete it or until the purpose for storing it ceases to apply (e.g. once your matter has been fully handled). Mandatory statutory retention periods — in particular those concerning treatment contracts — remain unaffected.
Appointment request
You can submit an appointment request via the appointment form. Fields processed: name, contact details (email, phone), preferred location, requested service (physiotherapy, osteopathy, Heilpraktik, occupational therapy, neurofeedback), preferred date and free text. Stating a requested service may constitute an indication of health data within the meaning of Art. 9(1) GDPR.
The legal basis for processing the contact data is Art. 6(1)(b) GDPR (initiation of a treatment contract). The processing of any health data contained in your enquiry takes place on the basis of Art. 9(2)(h) GDPR in conjunction with § 22(1) No. 1 lit. b BDSG (purposes of preventive healthcare or care in the health sector) and, additionally, on the basis of your consent pursuant to Art. 9(2)(a) GDPR, which you give by submitting the form.
Enquiry data is stored until the appointment is confirmed or declined and is then incorporated into the patient file, if a treatment relationship comes about.
Application form
You can use the application form to apply for advertised or speculative positions. Fields processed: name, contact details, desired position, cover letter, optionally a PDF/DOCX attachment (CV, references).
The legal basis is § 26(1) BDSG in conjunction with Art. 6(1)(b) GDPR (initiation of an employment relationship) and our legitimate interest under Art. 6(1)(f) GDPR in an effective applicant selection.
Storage period: applicant data is stored for a maximum of six months after completion of the application procedure (to preserve any claims under the General Equal Treatment Act, AGG) and is then deleted, unless a longer storage period is required in the context of an employment relationship in the event of hiring, or unless you have expressly consented to longer storage (e.g. for inclusion in an applicant pool).
Course registration
You can register for prevention and movement courses via the course registration form. Fields processed: name, contact details, chosen course and, where applicable, health-insurance information (if you wish to take part in a subsidised offering under § 20 SGB V).
The legal basis is Art. 6(1)(b) GDPR (initiation of a contract for course participation); for any health data, additionally Art. 9(2)(h) GDPR in conjunction with § 22(1) No. 1 lit. b BDSG.
Patient data in the practice
In the context of outpatient treatment we process the data required for the performance of the treatment contract pursuant to Art. 9(2)(h) GDPR, in particular master and contact data, anamnesis, findings and treatment data, prescriptions and billing data.
Retention periods arise from § 630f BGB, the professional codes, the X-ray Ordinance (Röntgenverordnung) and obligations under tax law. Patient records are generally retained for at least 10 years; specific statutory retention periods may be longer.
5. Embedded services and plugins
Google Fonts (locally hosted)
This site uses what are known as Google Fonts, provided by Google, for the consistent display of typefaces. The fonts are installed locally in our edge bundle; no connection to Google servers takes place when this site is accessed.
OpenStreetMap (maps)
To display our practice locations we use maps from the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom ("OSMF"). When a map is loaded, your browser establishes a connection to OSMF's tile servers and transmits, in particular, your IP address and technical browser data. We have no influence over this.
Legal basis is Art. 6(1)(f) GDPR (legitimate interest in an appealing presentation of our locations). The transfer to the United Kingdom is covered by an adequacy decision of the European Commission.
Details: wiki.openstreetmap.org/wiki/Privacy_Policy.
Microsoft Clarity (only with consent)
If you have expressly consented via the cookie banner, we use Microsoft Clarity (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) to analyse user behaviour. Clarity records heatmaps and anonymised session replays so weaknesses in navigation and form flow can be identified. Input into form fields is automatically masked by the provider; free-text entries (e.g. in the contact or appointment form) are not visible in the replay.
Before consent is given, the Clarity tag is not loaded. The data processed includes: truncated IP address, browser and device information, pages visited, click and scroll behaviour and a masked replay recording of the session.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent). Consent can be withdrawn at any time via the banner withdrawal option.
Microsoft is certified under the EU-US Data Privacy Framework; we have a data- processing agreement with Microsoft Ireland pursuant to Art. 28 GDPR. Further information: learn.microsoft.com/clarity/data.
Google Analytics 4 (only with consent)
If you have expressly consented via the cookie banner, we use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for an extended analysis of user behaviour. Before consent is given, the Google Analytics tag is not loaded; without consent, no analytics cookie leaves your browser.
The data processed includes, among other things, a truncated IP address, browser and device information, page views, time spent and click paths. The legal basis is Art. 6(1)(a) GDPR and § 25(1) TDDDG; consent can be withdrawn at any time via the banner withdrawal option.
A data transfer to the USA cannot be ruled out. Google is certified under the EU-US Data Privacy Framework (DPF). Further information: policies.google.com/privacy.
GlitchTip (error monitoring, self-hosted)
To detect technical errors and crashes we use GlitchTip, an open-source alternative to Sentry. The GlitchTip instance is operated exclusively on our own servers within the EU (Hetzner Germany) — there is no transfer to third countries.
In the event of an error the following is transmitted: IP address, information about the device and browser, stack trace and the steps that led to the error. Personal entries from forms are removed server-side before transmission to GlitchTip ("data scrubbing").
Legal basis is Art. 6(1)(f) GDPR (legitimate interest in the error-free operation of the website).
Resend (transactional email delivery)
For sending the confirmation and notification emails that arise in connection with your contact, appointment, course or job application requests, we use the service of Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Recipient email, subject and the mail content are transferred to Resend.
A data-processing agreement pursuant to Art. 28 GDPR has been concluded with Resend. The data transfer to the USA is based on the European Commission's Standard Contractual Clauses and on the EU-US Data Privacy Framework.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in reliable delivery of transactional emails).
Cloudflare R2 (media storage)
Media content uploaded via the content management system (images, PDF flyers) is stored in Cloudflare R2's EU cluster. Processor and legal basis as described in section 2.
WebMCP (browser AI integration)
Our website offers four so-called "tools" via the WebMCP interface (Model Context Protocol in the browser). These allow an AI assistant that you yourself run in your browser to carry out structured tasks (appointment suggestion, location information, service overview, job application). No personal data is transferred to external providers — the tools are registered locally in your browser. Browsers without WebMCP support silently ignore the feature.
6. Audio and video conferences
No audio or video conferencing tools are currently embedded in this website. Should we communicate with you outside of this website using such tools, we will inform you accordingly on a case-by-case basis.
7. Contact for data-protection questions
For questions about the processing of your personal data, the exercise of your rights or the withdrawal of a consent, you can reach us at kontakt@therapie-maliqi.de or by phone at 0341 9022766.